Web apps: These only have a basic level of permissions, and don't have access to privileged or internal APIs.

Privileged apps: These have all the permissions of web apps plus more. Hosted apps can't be privileged — they must be packaged apps.

Internal (certified) apps: These have all the permissions of privileged and web apps plus more. Certified/internal apps can only be installed on a device by Mozilla or a device vendor; not 3rd party developers.

Nota: If you use the App Manager/WebIDE to test your app, it will display an easy to read table of which permissions are allowed, denied, or require a prompt on the current device or simulator you are connected to.

Display a notification on the user's desktop. Note that this has changed, so for Gecko <22 (Firefox OS <1.2) you need to use mozNotification, while for Gecko 22+ (Firefox 1.2+) you need to use Notification.

Allows anonymous (no cookies) cross-origin XHR without the target site having CORS enabled. Similar to the TCP Socket API but restricted to XHR, not just raw sockets, so it is slightly less risky. See XMLHttpRequest.

Note: To declare an app as privileged, you need to put "type" : "privileged" into your app manifest. You don't need to include the type field in your manifest for web apps, as web is the default value.

Internal (Certified) app permissions

The following permissions require a internal app and are granted implicitly without prompting the user. Most app developers will not be able to use internal APIs, because they are intended for system-level apps and default apps created by Mozilla/operators/OEMs.

Enables an app opened in a browser <iframe> to call methods of the API on — and listen and respond to related events fired by — itself (usually the parent window of the iframe calls the Browser API.) See bug 1196654 for further information.